Tag Archives: Azure AD Premium

Speaking at System Center Universe Europe 2016 – Berlin

I’m really excited that I will have two sessions at this year’s SCU Europe in Berlin, August 24th – 26th. System Center Universe Europe is a really great community conference that focuses on Cloud, Datacenter and Modern Workplace Management, covering technologies like Microsoft System Center, Microsoft Azure, Office 365 and Microsoft Hyper-V. Read more about SCU Europe here: http://www.systemcenteruniverse.ch/about-scu-europe.html

I have attended every SCU Europe conference since the inaugural edition in Bern in 2013. Already then I met some amazing MVPs, sponsors and community leaders; in fact it inspired me to share more of my own work and knowledge by blogging, using social media and eventually speaking at technical and community conferences myself. The following two years SCU Europe was held in Basel, and both the great conference venue at the Swissotel and, lest we forget, Bar Rouge had their fair share of memorable moments 🙂

This year’s SCU Europe will be held in Berlin from the 24th to the 26th of August. Moving the conference to Berlin is a smart move, I think: it will make the conference even more accessible to most European and overseas travelers, and attract the attendance it deserves.

A few months ago I received some great news: two sessions accepted for SCU Europe, and my first Microsoft MVP Award for Enterprise Mobility. I’m really happy not only to go and learn and enjoy the conference sessions and community, but also to contribute myself along with over 40 top speakers from all over the world!

My first session will cover “Premium Management and Protection of Identity and Access with Azure AD”:


In the session I will focus on Azure AD Identity Protection, Azure AD Privileged Identity Management for controlling role and admin access, how to monitor it all with Azure AD Connect Health, and how Azure Multi-Factor Authentication works with these solutions. The session will also cover the recent announcements regarding Enterprise Mobility + Security.

The second session will be a deep dive on “Publish Applications with Azure AD”:


In this demo-packed session I will go deep into what you need to get started on publishing the different types of applications, and how to configure and troubleshoot user access to these applications. The session will cover Azure AD Single Sign-On and Password Single Sign-On, integrating Azure AD SSO with your internally developed applications, and publishing applications with Azure AD App Proxy that either use pre-authentication or pass through.

Hope to see you at the conference, and if you haven’t registered yet there is still time: http://www.systemcenteruniverse.ch/registration.html

New look coming to Azure Active Directory Access Panel #AzureAD

A quick update on coming changes to the Azure Active Directory Access Panel at https://myapps.microsoft.com.

When I log in with my Azure AD work account I see that there is a notification that a new look is coming soon and I can try it out:


The new applications look:


The new groups look, where I can see which groups I own and which I am member of:


For groups, I can join or leave them, change settings for groups I own, and see their members.

Looking at my logged in user in the right top corner, I see that I have a notification for pending actions, in this case I have an approval waiting to join a group I own:


Looking more at my profile I can change my associated Azure AD Organizations, or go to my Profile page:


The Profile page has a new look as well, where I can see my information, manage my account with password change or reset setup (depending on Azure AD Premium or EMS license and configurations), and I can view my devices and activity status.


This new look seems to be out there for everyone to try out now, and looks great so far.

And by the way: there is still no support for the Edge browser when trying to run a published application that uses Password SSO and requires the Access Panel Extension:


Session Recap – Nordic Infrastructure Conference (NIC) 2016 – Publishing Azure AD Applications

This week I had the pleasure of not only revisiting Nordic Infrastructure Conference (www.nicconf.com), but also presenting a session myself: Deep Dive – Publishing Applications with Azure AD. My session was about how you can use Azure AD to publish applications from the SaaS gallery, your organization’s own applications, or internal applications made accessible from outside with Azure AD Application Proxy.

This was the 5th anniversary of NIC, held in Oslo, Norway, at the Oslo Spektrum venue. NIC has established itself as a premium event for IT professionals, attracting internationally renowned speakers and MVPs, SMEs and partners.

In this blog post I will do a recap of my session, both for the attendees who were there and for those who couldn’t be. I will also expand on some of the things we went through in the session, as time limits kept several of the demos short.


The presentation and session recording will later be available at the www.nicconf.com webpage. At the end of this blog post there is also a link where you can download the presentation and the other code samples and files that were used in the session.

Session Menu

The theme for the presentation was a menu for publishing applications with Azure AD. The menu consists of required ingredients, recipes for publishing scenarios, consumption of the published applications from the users’ perspective, and some extras and tips for self-service and troubleshooting.

I started by pointing to the key features of Azure AD as an identity and access management solution for both cloud and on-premises solutions, and as an enabler of true enterprise mobility and business everywhere with one common, hybrid identity. There is important business value for organizations in controlling access to applications, single sign-on, conditional access, hybrid identity and self-service.

Ingredients

It is no surprise that you need Azure AD as a key ingredient 😉 But which edition of Azure AD should you use: Free, Basic or Premium? In the session I covered the most important differences relevant for publishing applications: you need at least Basic to publish internal applications with Azure AD App Proxy, and Premium if you want to cover all the self-service scenarios and advanced reporting. For all details, refer to https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/.

In addition to the application you want to publish, you will need an Azure AD identity, either a cloud based identity or a hybrid identity synchronized with Azure AD Connect.

In the first demo of the session we looked into configuring and verifying that your Azure AD tenant is ready for publishing applications.

Recipes

The publishing scenarios we looked at in the session were from the following menu of three alternatives in Azure AD:

Add an application from the gallery

The first publishing scenario we looked at in the session was publishing applications from the SaaS gallery of applications. The gallery contains over 2500 different SaaS applications, many offering both true Single Sign-On (SSO) with Azure AD and provisioning/de-provisioning of users and groups. Other applications provide password-based same sign-on.

The demos in the session used two different SaaS apps as examples: Twitter and Google Apps.

Twitter is a good example of a SaaS application using password-based same sign-on.

When configuring single sign-on for Twitter, we don’t have the option of using Azure AD Single Sign-On. Some applications may support one of the federation protocols implemented in on-premises AD FS or a third-party identity provider, but that depends on the application. So for Twitter we will typically use Password Single Sign-On.

After configuring Password Single Sign-On, the next step is to assign accounts to the application. When assigning accounts, you can either let the users enter the password themselves in the Access Panel, or enter the credentials on behalf of the user.

This opens up a very interesting scenario. Consider a company social media account on Twitter, Facebook, Instagram or similar. All users in the marketing department should have access to that application, so you start handing out the username and password of the shared account. This is a risk: users can lose the password or it can end up in the wrong hands, and former employees who have left the company may still know the username and password.

With Azure AD, by entering the Twitter credentials on behalf of the users, they are never given the logon details directly. And when they leave the organization and the user is removed from Azure AD, they no longer have access. You can even apply conditional access policies to the application. Keep in mind that password SSO still delivers the credentials to the user’s browser through the Access Panel Extension at sign-in, so it reduces exposure of the shared password rather than eliminating it; combine it with password rollover and prompt removal of leavers.

You can even configure automatic password rollover to update the password at a defined frequency:

The other part of the demo focused on Google Apps. I had an existing Google Apps subscription, which I configured for Azure AD Single Sign-On and account provisioning.

There is a complete tutorial for configuring SSO and provisioning for Google Apps at https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-google-apps-tutorial/.

In the demo I created a test user named [email protected], and assigned that user to the Google Apps application.

I showed that the user didn’t exist in the Google Apps user directory for my organization, and after a while (new user accounts are provisioned approximately every 10 minutes) the user appeared in the Google Apps directory via Azure AD.

The new user can now use Azure AD SSO when logging into Google:

I’m redirected to my Azure AD tenant for signing in:

And then the user is logged in to Google:

Add an application my organization is developing

The next part of the publishing scenarios was adding applications that my organization is developing. Most of the time these will be web applications or web APIs, but it is also possible to publish native client applications.

When creating a web application you give it a name, a sign-on URL and a unique App ID URI:

Keep in mind that creating a web application here only does the publishing part; you still need to create the actual application somewhere, for example as an App Service in an Azure subscription.

You can have the web application do its own authentication, for example by integrating with on-premises Active Directory Federation Services, or you can have the application use Azure Active Directory as the SSO provider.

In the session demo we looked at how we could quickly create a Web Application, integrate it with Azure AD for authentication and publish it. These are the main steps:

  1. Create a new Web App in your Azure subscription. In the new Azure Portal, under App Services, create a new Web App. The service name must be unique, and you select either an existing resource group or create a new one, and specify an App Service plan.
  2. After the Web App is created, open the application properties and under Settings find Features and Authentication / Authorization:
  3. Turn on App Service Authentication, set the action for unauthenticated requests to log in with Azure Active Directory, and configure Azure Active Directory as the authentication provider using Express settings. PS! Here we can also create and publish a new AD app (or select an existing one). We created a new one for our demo:
  4. Remember to save the Web App, and the first part of the demo is done. At this point you can go to http://nicconfdemowebapp.azurewebsites.net and be prompted to sign in with an Azure AD account from the directory the application was configured for. There is no content in the application yet, and every user in the Azure AD directory can access it as long as they authenticate. Authentication alone is not authorization; the next steps restrict access to assigned users and groups:
  5. The next part of this demo was to change some configuration settings for the published web application which is now published to Azure AD:
  6. I want to upload a custom logo, and configure the application so that only assigned users/groups can access it. First upload a logo:
  7. Then at the Configure page, I select that user assignment is required to access the App:
  8. Then after saving, I go to the Users and Groups page, and select to assign the users I want:

    If you assign individual users the assignment method will be Direct; if you assign groups, the members will be assigned by inheritance.

  9. Now, if I start a new session to the Web App and log in with a user that has not been assigned, I will get this message:
  10. The final steps of this demo showed how you can create some content in that Web App via Visual Studio. There are several development tools you can use; I have been using Visual Studio 2015, and the Community Edition is a free download if you don’t have a license. In my example I created a VB.NET Web App project, and with a publish profile and some custom code I was able to show the logged-in user’s claim properties. You can even create App Services directly from Visual Studio, and create and publish Azure AD Web Apps from there. But if you download the publish profile from the Web App:


    and import it into the Visual Studio project, you can publish your changes directly.

  11. This is the result for the demo web application; the code is included in the download at the end of this blog post:

Publish an application that will be accessible from outside your network

The third scenario for publishing applications with Azure AD covers the applications you want to make available from outside your network. These are internal web applications like SharePoint, Exchange Outlook Web Access or other internal web sites; you can even publish Remote Desktop and Network Device Enrollment Service (NDES) with Azure AD Application Proxy.

Azure AD App Proxy uses connector servers, organized in connector groups, inside the on-premises infrastructure; the connectors must be able to reach the internal URLs. The connectors only make outbound connections to the Application Proxy service, so no inbound ports need to be opened on the perimeter. The connector servers can also perform Kerberos Constrained Delegation for Windows authentication, so that Azure AD single sign-on extends to those internal applications.

A sample diagram showing the communication flow is shown below:

In the demo we looked at how you could install and configure a Connector installation, and organize Connector Servers in Groups for the applications to use. Here are some of the steps required:

  1. First, Application Proxy must be enabled for the Azure AD directory, and the connector downloaded for installation.
  2. You create and manage connector groups:
  3. And organize the installed connectors in those groups:
  4. When these requirements are in place you can start publishing your internal web applications.

For each internal published web application, you can configure authentication method, custom domain names, conditional access and self-servicing options. For details on how to do these different configurations, see previous blog posts I have published on this subject:

Consumption, Self Service and Troubleshooting

The last part of the session focused on the user experience for accessing the different published Azure AD applications.

Users can access Azure AD published applications via:

  • Access Panel, https://myapps.microsoft.com
  • My Apps (iOS, Google Play)
  • App Launcher in Office 365
  • Managed Browser App with My Apps
  • Directly to URL

The Access Panel is a web-based portal that allows an end user with an organizational account in Azure AD to view and launch applications to which they have been assigned access. The Edge browser in Windows 10 is not fully supported yet, so you need to use either Internet Explorer, Chrome or Firefox for all supported scenarios. In addition, an Access Panel Extension needs to be installed for accessing Password SSO Applications.

The Access Panel is also where users can view account details, change or reset password, edit multi-factor authentication settings and preferences, and if you are using Azure AD Premium self-manage Groups.

The Access Panel via Internet Explorer:

The Access Panel via My Apps and Managed Browser Apps:

If the user is licensed for Office 365, the published applications are available via the App Launcher and URL https://portal.office.com/myapps:

Conditional Access, which is an Azure AD Premium feature, can be configured per published Azure AD application. The settings consist of enabling access rules for all users or for selected groups, optionally with exceptions for users/groups. The rule options are: require multi-factor authentication, require MFA when not at work, or block access when not at work. For the location-based rules to work, the company’s known public IP address ranges must be configured as trusted IPs.

Instead of assigning users and groups, you can also let users request self-service access to the published applications. When configured, a group is created automatically for the application, and optionally you can configure one or more approvers:

The end user will access this self-servicing via the Access Panel:

The session was wrapped up with some links to troubleshooting and more resources:

Presentation and files downloads

The presentation and files used in the demos can be downloaded from this link: http://1drv.ms/1Q429rh

Thank you for attending my session and/or reading this recap!

How to enable Conditional Access for Azure RemoteApp Programs

Last week I published a blog article on how to publish the System Center Service Manager and Operations Manager Consoles as Azure RemoteApp Programs. (See https://systemcenterpoint.wordpress.com/2016/02/02/publish-operations-and-service-manager-consoles-as-azure-remoteapp-programs/)

One great feature if you are using Azure AD Premium is that you can enable Conditional Access for your Azure RemoteApp programs. Conditional Access lets your organization require Multi-Factor Authentication, or require that the programs can only be accessed when at work. In this blog post I will show how this can be configured.

Requirements for Conditional Access for Azure RemoteApp Programs

The following requirements must be met to enable Conditional Access for Azure RemoteApp Programs:

  • Conditional Access is an Azure AD Premium feature, so your organization must be licensed for it
  • You must have created at least one Azure RemoteApp Collection
  • At least one user/group must be assigned to a Program in the Azure RemoteApp Collection

If all these requirements are met, you will see this “Microsoft Azure RemoteApp” Application in your Azure AD:

Configuring Conditional Access for Microsoft Azure RemoteApp

Select the Microsoft Azure RemoteApp Application and go to the Configure tab:

When enabling access rules, you can enable them for all users or for selected groups. Both options can have exceptions for groups that you don’t want the access rules to apply to:

For the rules you have three options for Conditional Access:

You can require Multi-Factor Authentication for the groups/users you selected above, every time they launch a RemoteApp program session.

Alternatively, if you define your work network locations (trusted IPs), you can require MFA only when not at work, or block access to the application completely when not at work.

To configure trusted IPs, click on the link to get to the MFA Service Settings:

User Experience for Azure RemoteApp Conditional Access

So, how does this look for the user when accessing Azure RemoteApp Programs?

Require Multi-Factor Authentication

I launch my Azure RemoteApp client and click on a RemoteApp program:

When launching the program, I’m prompted for MFA as expected:

If I sign in with the Azure RemoteApp HTML5 preview client, https://www.remoteapp.windowsazure.com/web, the multi-factor authentication is performed before you see your Work Resources.

Block access when not at work

If I select the access rule to block access when not at work, I get this message when I’m not on a trusted network:

Conclusion

With the requirements met, we have verified that Conditional Access can be enabled for selected groups of users, and that it applies to all the Azure RemoteApp programs you have published. Note that you cannot enable it for individual Azure RemoteApp programs; it applies to all of them or none.

Publish Operations Management Suite Portal with Azure AD

To be able to access the Operations Management Suite Portal for your OMS workspace, you will need to have an account with either administrator or user access to the workspace.

This could be a Microsoft account, or, if you have added an Azure Active Directory organization to your OMS workspace, you can add Azure AD users or groups to the workspace.


When users from your Azure AD have been granted either administrator or user access to the OMS workspace, you can notify them that they can log on to the portal.

But, where should they go to log in? The simplest way could be to tell them to go to http://www.microsoft.com/oms, and hit the Sign In link at the top. After signing in they will be instructed to choose the OMS workspace and then be directed to the OMS portal.

Another method is to tell them the workspace url for the portal directly. This would be something like: https://<workspaceid>.portal.mms.microsoft.com/#Workspace/overview/index

You will find the Workspace ID under Settings, and sometimes you can also use the Workspace Name in the above URL as well.


So you can communicate one of the methods above to the users in your organization. Chances are that most users will forget this info after a short while, and will either search for your e-mail or ask you again at some point.

In this blog post I will show how you can publish the Operations Management Suite Portal as an Azure AD Application, utilizing Single Sign-On, so that users can access it easily with My Apps or the App Launcher in Office 365!

Step 1 – Add Organizational User or Group Accounts to OMS Workspace

First you need to add the Azure AD user or group account to your OMS workspace. Select the account type Organizational Account, and whether they should be users or administrators. Under Choose User/Group, type in and search for the users or groups you want to add:


Step 2 – Creating the Azure AD Application

Next, log on as an Azure AD Global Administrator to the classic Azure management portal (manage.windowsazure.com). Under Active Directory, select your Azure AD, and then select Applications. Select Add to start adding a new Application. Select to Add an application my organization is developing:


Next, specify a name for the application and select the web application type:


Specify the SIGN-ON URL and the APP ID URI. Both will be the OMS portal URL, using either the workspace name or the workspace ID you found earlier:


After finishing, the application has been added to Azure AD:


Step 3 – Adding Users and Groups to the Application

Next I need to add the users or groups that will see the published application. On the Users and Groups page for my application, I’m notified that user assignment is not currently required to access Operations Management Suite Portal. That is correct, because users can access the portal directly if they know the URL or sign in at the Microsoft OMS site. In other words, this application is a visibility shortcut: who is allowed into the workspace is still governed by the OMS workspace permissions from Step 1, and requiring user assignment on this Azure AD application would not stop anyone from reaching the portal URL directly.

Adding users or groups here makes the application visible to them in My Apps / the App Launcher:


I search for and select to Assign the Groups (or Users) I want to have the application visible for.

Step 4 – Logo and optional configuration

After adding users, the application is ready to test, but first I want to add my own logo.


In this example I’m using a transparent png image with dimensions 215×215, and a central image dimension of 94×94.



On the Configure page, other settings can be set, such as requiring user assignment, access rules with Multi-Factor Authentication, and self-service access for users who have not been specifically assigned access.

In this scenario I only want to publish the application to users, so I will not configure any further settings. We are ready to test.

Step 5 – User Access to the Published Application

Users can now access My Apps at https://myapps.microsoft.com. When logging in with an Azure AD user, the list of published applications is shown, and I can see the OMS Portal application:


And, logged in to Office 365, I can select the App Launcher and show all my apps at https://portal.office.com/myapps.


I can pin the application to the App Launcher if I want for quicker access.


So to conclude this blog post, users now have a quickly accessible shortcut to the Operations Management Suite Portal using single sign-on with Azure AD.

Speaking at NIC 2016 #NICConf

I’m very excited to have a session at the Nordic Infrastructure Conference, 5th anniversary edition, in Oslo, February 4-5, 2016. In exactly one month from today (with a pre-conference day on February 3rd) NIC kicks off the fifth edition of this premium event for IT professionals!

Aiming for up to 1400 participants, the sessions will be presented in 7 tracks:

For a list of current published sessions, see this link: http://www.nicconf.com/sessions

My session will be a deep dive on publishing applications with Azure AD, http://www.nicconf.com/deep-dive–publishing-applications-with-azure-ad.

The session will cover Azure AD Single Sign-On and Password Single Sign-On, integrating Azure AD SSO with your internally developed applications, and publishing applications with Azure AD App Proxy that either use pre-authentication or pass through. The session will cover how to assign users, configure access control with MFA per-application, use self-servicing and how users can access these applications on different platforms and through which portals.

The session will honor the NIC original concept: Less slides, more demos!

I’m very much looking forward to next month, and hope to see you there!

Read more about NIC here: http://www.nicconf.com.

Publish the Squared Up SCOM Web Dashboard with Azure AD Application Proxy

The Scenario

Squared Up is a web-based dashboard solution for SCOM environments, and since it is built on HTML5 it works on any device or browser, as long as you can connect to the web server the solution is installed on.

This is another good scenario for the Azure AD Application Proxy, since the Squared Up web site must be installed either on the SCOM management server or on a server that can connect to the management server internally.

In this blog article I will describe how to publish the Squared Up web site. This gives me some interesting possibilities for either pass-through or pre-authentication, and for controlling user access.

There are two authentication scenarios for publishing the Squared Up Web Site with Azure AD App Proxy:

  1. Publish without pre-authentication (passthrough). This is best used when Squared Up runs Forms Authentication, so that the user can choose which identity to log in with. Forms Authentication is also the default mode for Squared Up installations.
  2. Publish with pre-authentication. This uses Azure AD authentication, and is best used when the Squared Up web site runs Windows Authentication, so that we get single sign-on with the Azure AD identity.

I will go through both authentication scenarios here.

I went through these steps:

Create the Application in Azure AD

In this step I will create the proxy application in Azure AD where the Squared Up web site will be published. To create proxy applications I need either an Enterprise Mobility Suite license plan or an Azure AD Basic/Premium license plan. In the Azure Management Portal, under Active Directory and Applications, I add a new application and select “Publish an application that will be accessible from outside your network”:

I then give my application a name and specify the internal URL and the pre-authentication method. I name my application “Squared Up SCOM Dashboard”, use http://scomdashboardserver/SquaredUp/ as the internal URL and choose Passthrough as the pre-authentication method.

After the proxy application is added, some additional configuration is required. If not already done, Application Proxy must be enabled for the directory. I have created other proxy applications before this, so that is already done.

I also need to download the Application Proxy connector and install and register it on a server that is a member of my own Active Directory. The server can be either on an on-premises network or in an Azure network. As long as the server running the connector can reach the internal URL, I can choose whichever server best fits my needs.

When choosing passthrough as the authentication method, all users can reach the forms-based logon page directly, as long as they know the external URL. Assigning accounts, whether users or groups, only decides who sees the application in the Access Panel or My Apps; it does not restrict who can reach the external URL.

I now need to make additional configurations to the application, and go to the Configure menu. From here I can configure the name, external URL, pre-authentication method and internal URL, if I need to change something.

I choose to change the External URL so that I use my custom domain, and note the warning about creating a CNAME record in external DNS. After that I hit Save so that I can configure the Certificate.

Since I have already uploaded a certificate (see previous blog post https://systemcenterpoint.wordpress.com/2015/06/10/using-a-custom-domain-name-for-an-application-published-with-with-azure-ad-application-proxy/), I can just verify that it is correct.

When using passthrough I don’t need to configure an internal authentication method.

Another feature that is in Preview, is to allow Self-Service Access to the published application. I have configured this here, so that users can request access to the application from the Access Panel (https://myapps.microsoft.com).

After I have configured this and uploaded a logo, I am finished at this step, and can test the application using passthrough.

Testing the application using passthrough

When using Passthrough I can go directly to the external URL, which in my case is https://scom.skill.no/squaredup. And as expected, I can reach the internal Forms Based login page:

The users and groups I have assigned access will also see the Squared Up application in the Access Panel or in My Apps; the tile is linked to the external URL:

Now I’m ready to do the next step which is change Pre-Authentication and use Azure AD Authentication and Single Sign-On.

Change Application to use Azure AD Authentication as Pre-Authentication

First I will reconfigure the Azure AD App Proxy Application, by changing the Preauthentication method to Azure Active Directory.

Next I need to configure the internal authentication method “Windows Integrated Authentication”. I also need to configure the Service Principal Name (SPN). Here I specify HTTP/&lt;scomdashboardserverfqdn&gt;; in my example this is HTTP/skill-scom02.skill.local.

PS! A new preview feature lets you choose which login identity to delegate. I will keep the default value, User principal name.

Since I now use pre-authentication, it is important to remember to assign users or groups to the application. This controls both who sees the application under My Apps and who can access the application’s external URL at all.

From the bottom part of the configuration settings I can configure Access Rules, which at this time are in Preview. This is cool, because I can for example require multi-factor authentication for this Application. I have not enabled that here though.

After I’m finished reconfiguring the Azure AD App Proxy Application, I can save and continue with the other requirements.

Enable Windows Authentication for Squared Up

The Squared Up web site supports Windows Authentication; the instructions for configuring it are described here: http://support.squaredup.com/support/solutions/articles/4136-enable-integrated-windows-authentication-single-sign-on-.

Follow that article and you should be ready for the next step.

It is a good idea at this point to verify that Windows Integrated Authentication is working correctly by browsing internally to http://scomdashboardserver/SquaredUp. Your current logged on user (if permissions are correct) should be logged in automatically.

Configure Kerberos Constrained Delegation for the Proxy Connector Server

I now need to configure things so that the server running the Proxy Connector can impersonate users who have pre-authenticated with Azure AD and use Windows Integrated Authentication towards the Squared Up server.

I find the Computer Account in Active Directory for the Connector Server, and on the Delegation tab select “Trust this computer for delegation to specified services only” and “Use any authentication protocol”. Then I add the computer name for the web server that Squared Up is installed on and specify the http service as shown below (I already have an existing delegation set up). “Use any authentication protocol” is what enables protocol transition: the connector never receives a Kerberos ticket from the user, it only knows the identity from the Azure AD token, so it has to request a service ticket on the user’s behalf (S4U2Self/S4U2Proxy). Constraining the delegation to just the http service on that server keeps the connector from reaching anything else with the user’s identity.

This was the last step in my configuration, and I am almost ready to test.

If you, like me, have an environment consisting of both on-premises and Azure servers in a hybrid datacenter, allow time for AD replication of these SPNs and delegation settings before testing.

Testing the published application with Azure AD Authentication!

Now I am ready to test the published proxy application with Azure AD Authentication.

When I go to my external URL https://scom.skill.no/squaredup, Azure AD checks whether I already have an authenticated session; otherwise I am presented with the logon page for Azure AD (in Norwegian, but you get the picture ;):

Remember from earlier that I have assigned the application to a group (of all or some users) or directly to some pilot users, for example.

If I log in with an assigned user, I will be directly logged in to the Squared Up Dashboard:

In addition to accessing the application via the Access Panel (https://myapps.microsoft.com), I can use the App Launcher menu in Office 365 and add the Squared Up Dashboard to the App chooser for easy access:

I can also access the Squared Up Application from the “My Apps” App on my Mobile Devices.

So to conclude, Squared Up is another great solution for publishing with Azure AD Application Proxy !

Publish the Service Manager Self Service Portal with Azure AD Application Proxy

The Scenario

Updated blog post: 10th November 2015. With today’s release of Update Rollup 8 for Service Manager 2012 R2 (https://www.microsoft.com/en-us/download/details.aspx?id=49556) and the new HTML5 based Self Service Portal, I have made some changes to this blog post, and the scenario is updated. Please read on for how to publish this portal externally via Azure AD App Proxy:

Recently, in a SCSM LyncUp call, news came of a coming Self Service Portal that the Service Manager team is working on. This portal will no longer require SharePoint and Silverlight, and will be built on HTML5. Stefan Johner has a good write-up on the features here: http://jhnr.ch/2015/08/22/service-manager-lync-up-summary-august-2015-new-portal-sneak-preview/.

A while ago I had a blog article on how to publish the Cireson Self Service Portal via the Azure AD Application Proxy (https://systemcenterpoint.wordpress.com/2015/03/26/publish-the-cireson-self-service-portal-with-azure-ad-application-proxy/), and in this blog article I will describe how to publish the new SCSM Self Service Portal. This gives me some interesting possibilities for pre-authentication and controlling user access.

There are two authentication scenarios for publishing this Self Service Portal with Azure AD App Proxy:

  1. Publish without pre-authentication (pass through). This scenario is best used when the Self Service Portal runs Forms Authentication, so that the user can choose which identity to log in with. As the new SCSM Self Service Portal doesn’t support Forms Authentication, this is not really an option here.
  2. Publish with pre-authentication. This scenario will use Azure AD authentication, and is best used when the Self Service Portal is running Windows Authentication so that we can have single sign-on with the Azure AD identity.

It is the second scenario with pre-authentication I will configure here.

I went through these steps:

Verify Windows Authentication for Service Manager Self Service Portal

The Service Manager Self Service Portal is installed by default with Windows Integrated Authentication. In my environment, I can verify the following configuration settings:

  • Windows Authentication is enabled for the web site application
  • In Advanced Settings for Windows Authentication, Kernel-mode authentication is Enabled and Extended Protection is Off; under Providers, Negotiate is listed on top

It is a good idea at this point to verify that Windows Integrated Authentication is working correctly by browsing internally to http[s]://scsmportalservername:[port]/selfserviceportal. Your current logged on user (if permissions are correct) should be logged in automatically.
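The same verification applies to the Squared Up site earlier on this page and to the Self Service Portal here. As an added example that is not part of the original posts, this PowerShell, run on the web server, reads the settings listed above from IIS and then makes a request with the logged-on user’s credentials. The IIS application path and the URL are assumed names for illustration.

```powershell
# Added example, not from the original posts: verify that a back-end site is configured
# for Windows Integrated Authentication as described, then confirm that the logged-on
# user gets single sign-on to it. Site path and URL are assumptions for illustration.
Import-Module WebAdministration

$sitePath  = 'IIS:\Sites\Default Web Site\SelfServicePortal'      # assumed IIS application path
$portalUrl = 'http://az-scsm-ms01.skill.local/SelfServicePortal'  # assumed internal URL
$winAuth   = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth  = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-IisSetting([string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $sitePath -Filter $Filter -Name $Name
    if ($null -ne $v.Value) { $v.Value } else { $v }   # unwrap ConfigurationAttribute objects
}

# Providers are an ordered collection; the first entry is what IIS offers the client first.
# If NTLM comes first, Kerberos is never used and the connector's delegated logon cannot work.
$providers = @(Get-WebConfigurationProperty -PSPath $sitePath -Filter "$winAuth/providers" -Name Collection |
               ForEach-Object { $_.value })

$checks = [ordered]@{
    'Windows Authentication enabled'    = (Get-IisSetting $winAuth  'enabled')       -eq $true
    'Anonymous Authentication disabled' = (Get-IisSetting $anonAuth 'enabled')       -eq $false   # otherwise IIS never challenges
    'Kernel-mode authentication on'     = (Get-IisSetting $winAuth  'useKernelMode') -eq $true
    'Extended Protection off'           = (Get-IisSetting "$winAuth/extendedProtection" 'tokenChecking') -eq 'None'
    'Negotiate is the first provider'   = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')
}

foreach ($check in $checks.GetEnumerator()) {
    $state = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $state, $check.Key)
}

# End-to-end: -UseDefaultCredentials sends the current user's Kerberos ticket.
# HTTP 200 without a credential prompt means SSO works on the internal network,
# which is the precondition for the connector's delegated logon to work later.
try {
    $resp = Invoke-WebRequest -Uri $portalUrl -UseDefaultCredentials -UseBasicParsing
    Write-Output ("[OK  ] {0} answered HTTP {1} for the logged-on user" -f $portalUrl, $resp.StatusCode)
} catch {
    Write-Output ("[FAIL] {0}: {1}" -f $portalUrl, $_.Exception.Message)
}
```

Run it in a session that is logged on with a domain user who is allowed into the portal; a 401 from the last step while the IIS checks all pass usually points at the SPN rather than at IIS.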

Create the Application in Azure AD

In this next step, I will create the Proxy Application in Azure AD where the Self Service Portal will be published. To be able to create Proxy Applications I need either an Enterprise Mobility Suite license plan or an Azure AD Basic/Premium license plan. From the Azure Management Portal, under Active Directory and Applications, I add a new Application and select “Publish an application that will be accessible from outside your network”:

I will then give a name for my application, specify the internal URL and the pre-authentication method. I name my application “SCSM Self Service Portal”, use “http://portalserverfqdn:[port]” as internal URL and choose Azure Active Directory as Pre-Authentication method.

After the Proxy Application is added, there are some additional configurations to be done. If I had not already done so, Application Proxy would have to be enabled for the directory. I have created other Proxy Applications before this, so I have already done that.

I also need to download the Application Proxy connector, then install and register it on a server that is a member of my own Active Directory. The server can be either on an on-premises network or in an Azure network. As long as the server running the Proxy connector can reach the internal URL, I can choose whichever server best fits my needs.

Update: Regarding the AADP Connector, you can now create connector groups and configure the application to use the group of connector(s) you choose:


Since I chose to use pre-authentication, I can also assign individual users or groups to the Application. This lets me control which users see the application under their My Apps and which users can access the application’s external URL directly.

I now need to make additional configurations to the application, and go to the Configure menu. From here I can configure the name, external URL, pre-authentication method and internal URL, if I need to change something.

I choose to change the External URL so that I use my custom domain, and note the warning about creating a CNAME record in external DNS. After that I hit Save so that I can configure the Certificate.


Since I have already uploaded a certificate (see previous blog post https://systemcenterpoint.wordpress.com/2015/06/10/using-a-custom-domain-name-for-an-application-published-with-with-azure-ad-application-proxy/), I can just verify that it is correct.


Next I need to set the Internal Authentication Method to “Windows Integrated Authentication” and specify the Service Principal Name (SPN) of the portal. Here I specify HTTP/portalserverfqdn, in my example HTTP/az-scsm-ms01.skill.local. The host name must match the one in the internal URL, and the SPN has to be registered on the account that decrypts the Kerberos ticket for the portal site (the computer account with kernel-mode authentication and a built-in identity, otherwise the application pool’s service account).

Update: You can now choose which Identity to delegate, in this case UPN is fine.


From the bottom part of the configuration settings I can configure Access Rules, which at this time are in Preview. This is cool, because I can for example require multi-factor authentication for this Application. I have not enabled that here though.

Another feature that is in Preview is Self-Service Access to the published application. I have configured this here, so that users can request access to the application from the Access Panel (https://myapps.microsoft.com).

After I have configured this and uploaded a logo, I am finished at this step, and now need to configure some more settings in my local Active Directory.

Configure Kerberos Constrained Delegation for the Proxy Connector Server

I now need to configure things so that the server running the Proxy Connector can impersonate users who have pre-authenticated with Azure AD and use Windows Integrated Authentication towards the Self Service Portal server.

I find the Computer Account in Active Directory for the Connector Server, and on the Delegation tab select “Trust this computer for delegation to specified services only” and “Use any authentication protocol”. Then I add the computer name for the portal server and specify the http service as shown below (I already have an existing delegation set up). The second option is needed because the connector only has the user’s identity from the Azure AD token, not a Kerberos ticket, so it must be allowed protocol transition to obtain a ticket in the user’s name; limiting the list to the http service on the portal server is what keeps that impersonation constrained.

This was the last step in my configuration, and I am almost ready to test.

If you, like me, have an environment consisting of both on-premises and Azure servers in a hybrid datacenter, allow time for AD replication of these SPNs and delegation settings before testing.
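The Delegation tab settings, both for the Squared Up connector earlier on this page and for the Self Service Portal connector here, are where this setup most often goes wrong. As an added example that is not part of the original posts, the following PowerShell uses the ActiveDirectory module to verify the three things that matter (a unique SPN, the constrained delegation list, and protocol transition) and can optionally apply the two delegation settings. The connector computer name and the portal host name are assumptions for illustration.

```powershell
# Added example, not from the original posts: verify (and optionally apply) the Active
# Directory settings that Kerberos constrained delegation from the App Proxy connector
# needs. Computer and host names are assumptions for illustration.
Import-Module ActiveDirectory

$connector = 'AZ-AADP-CONN01'            # assumed connector computer name (without the trailing $)
$webServer = 'az-scsm-ms01.skill.local'  # host name from the application's internal URL
$spn       = "HTTP/$webServer"           # must equal the SPN entered in the App Proxy application
$Fix       = $false                      # $true applies the two delegation settings (needs rights on the object)

function Show-Check([bool]$Ok, [string]$Text) {
    Write-Output ("[{0}] {1}" -f $(if ($Ok) { 'OK  ' } else { 'FAIL' }), $Text)
}

# 1. The SPN must be registered exactly once, on whichever account runs the web application.
#    A duplicate makes the KDC refuse to issue a ticket for it; a missing one makes the
#    connector's delegated logon fail.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
Show-Check ($owners.Count -eq 1) ("{0} is registered on {1} account(s): {2}" -f $spn, $owners.Count, ($owners.DistinguishedName -join '; '))

# 2. The connector computer object must list the target service, and nothing broader,
#    in msDS-AllowedToDelegateTo ("Trust this computer for delegation to specified services only").
$acct    = Get-ADComputer -Identity $connector -Properties msDS-AllowedToDelegateTo, userAccountControl
$allowed = @($acct.'msDS-AllowedToDelegateTo')
Show-Check ($allowed -contains $spn) ("{0} may delegate to: {1}" -f $connector, ($allowed -join ', '))

# 3. "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl.
#    The connector never sees a Kerberos ticket from the user; it only has the UPN from the
#    Azure AD token, so it needs protocol transition (S4U2Self) to get a ticket in the user's name.
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
$transition = ($acct.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
Show-Check $transition ("{0} is trusted for protocol transition" -f $connector)

if ($Fix) {
    # Equivalent to the Delegation tab in the post; let it replicate to all DCs before testing through the proxy.
    if (-not ($allowed -contains $spn)) { Set-ADComputer -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $spn } }
    if (-not $transition)                { Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true }
}
```

Review the output of check 2 as well as its pass/fail: every SPN in that list is a service the connector can reach as any pre-authenticated user, so the list should contain only the applications published through this connector.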

Testing the published application!

Now I am ready to test the published proxy application.

Remember from earlier that I have assigned the application to a group (of all or some users) or directly to some pilot users, for example.

I will now log on with my Azure AD user (which of course is synchronized from local Active Directory), and I will use the URL https://myapps.microsoft.com.

After logging on, I can see the applications I have access to. Some of these are SaaS applications I have configured, some are applications we have developed ourselves, and I can see the published Self Service Portal:

(Don’t mind the Norwegian captions and texts, you get the idea;)

I then click on the SCSM Self Service Portal and can confirm that I am able to access it. Note the external URL I specified, and that I am indeed logged in with my Active Directory user via SSO.


Another cool thing is that I can use the App menu in Office 365 and add the Self Service Portal to the App chooser for easy access:

I can now also access the Self Service Application from the “My Apps” App on my Mobile Devices.

Service Manager Self Service Portal – Password Reset with Azure AD Premium

One challenge with using a Self Service Portal for Service Manager is that the user must have a valid Active Directory user name and password to be able to log on to the Self Service Portal. So what do you do if you have forgotten your password or the password has expired?

Previously in Service Manager, we have addressed this by having another user request a password reset on your behalf, that user being either a Service Desk analyst or a Super User allowed to create that password reset request.

The optimal solution would be to enable the user to reset their own password. This blog article will show how you can use Azure AD Premium to accomplish just that!

Some requirements

First of all, this solution will have some requirements:

  • You must have Azure AD with directory integration enabled for your on-premises Active Directory
  • You must have configured password write-back to on-premises Active Directory
  • You must configure a user password reset policy in Azure AD, and users must have at least one authentication method defined
  • You must have either federated users (SSO with AD FS) or users with password synchronization in the directory integration setup
  • Each user, and any administrator setting this up, needs an Azure AD Premium license. Azure AD Premium is either licensed directly or as part of the Enterprise Mobility Suite (EMS)
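As an added example that is not part of the original post, the following PowerShell uses the MSOnline module of that period to check these requirements for a tenant: the tenant-level settings, the authentication type of each verified domain, and which users lack either a Premium licence or a registered authentication method. The licence SKU names and the connector name in the comment are assumptions; password write-back itself is configured on the Azure AD Connect server, so that check is noted rather than run here.

```powershell
# Added example, not from the original post: check the prerequisites listed above for
# self-service password reset with the MSOnline module. SKU names are assumptions;
# adapt them to the licences actually assigned in your tenant.
Import-Module MSOnline
Connect-MsolService   # prompts for a tenant administrator credential

function Show-Check([bool]$Ok, [string]$Text) {
    Write-Output ("[{0}] {1}" -f $(if ($Ok) { 'OK  ' } else { 'FAIL' }), $Text)
}

# Tenant level: directory integration, and the reset feature itself
$company = Get-MsolCompanyInformation
Show-Check $company.DirectorySynchronizationEnabled 'Directory synchronization with on-premises AD is enabled'
Show-Check $company.SelfServePasswordResetEnabled   'Self-service password reset is enabled for the tenant'

# Each verified domain must be Managed (password synchronization) or Federated (AD FS)
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
    Show-Check ($_.Authentication -in 'Managed', 'Federated') ("Domain {0} is {1}" -f $_.Name, $_.Authentication)
}

# Password write-back lives on the Azure AD Connect server, not in the tenant. There, run
#   Get-ADSyncAADPasswordResetConfiguration -Connector '<tenant>.onmicrosoft.com - AAD'
# and confirm that Enabled is True (the connector name is an assumption).

# Per user: an Azure AD Premium (or EMS) licence and at least one registered method.
# AccountSkuId has the form '<tenant>:<SKU>'; the SKU names below are assumed.
$premiumSkus = 'AAD_PREMIUM', 'EMS'
$notReady = @(Get-MsolUser -All | Where-Object { -not $_.BlockCredential } | ForEach-Object {
    $skus = @($_.Licenses | ForEach-Object { ($_.AccountSkuId -split ':')[-1] })
    [pscustomobject]@{
        User            = $_.UserPrincipalName
        PremiumLicensed = [bool]($skus | Where-Object { $premiumSkus -contains $_ })
        HasAuthMethod   = [bool]($_.MobilePhone -or $_.AlternateEmailAddresses.Count -gt 0 -or $_.StrongAuthenticationUserDetails)
    }
} | Where-Object { -not ($_.PremiumLicensed -and $_.HasAuthMethod) })

Show-Check ($notReady.Count -eq 0) ("{0} user(s) cannot reset their password yet" -f $notReady.Count)
$notReady | Format-Table -AutoSize
```

The last table is the one to act on before rolling this out: a user who is missing a registered method will get as far as the “Can’t access your account” page and then be stopped, which is exactly the experience the Service Desk call was meant to avoid.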

Some recommendations

In addition to the requirements above, I have some recommendations as well:

How this works

With all these requirements in place, this is how it works when a user tries to access the Self Service Portal and wants to reset the password.

In my environment, I am using the Self Service Portal from Cireson, but this should work for the built-in Service Manager Portal as well.

  1. First, I go to my application URL, https://selfservice.skill.no. Since I have published this with Azure AD App Proxy, I must sign in with my hybrid Azure AD identity. I am presented with my customized Azure AD sign-in page:
  2. Since I have forgotten my password, or maybe my password has expired, I select the link “Can’t access your account” under the Sign in button. This brings me to the reset password page, where I specify my user identity and type the captcha code:
  3. Next I select one of my defined authentication methods; in this example I will receive a text message on my mobile phone:
  4. I receive the SMS verification code and type it in:
  5. After successfully verifying my SMS code, I can specify my new password:
  6. And my password has been reset:
  7. Since my user is a federated user, I am now redirected back to the on-premises AD FS and my customized sign-in page there:
  8. After logging in, I am redirected directly to the published Self Service Portal:

Conclusion

By using the powers of Azure AD Premium and directory integration with my local Active Directory, I can, as an end user, reset my own password and go directly on to my published Self Service Portal for Service Manager.

PS! For those that are not in Azure AD yet, Cireson will soon deliver their own password reset solution in the Identity Management Stream. I’ll come back to that later.

Discussing Azure AD on Skill TV

Recently I did an interview on our video blog at Skill TV, talking about Azure AD with our HR Manager Elham Binai.


The interview is in Norwegian and can be seen here: https://www.youtube.com/watch?v=pkRHW-ZJC2w

I have provided below a translated version from our interview transcript. While some questions and answers flowed a little differently in the real recording, the transcript covers it all. Apologies for a couple of cuts as well; we had some problems with noise from spotlight fans and had to pause recording when that happened.

Here it goes:

Elham: Today I am lucky to have Jan Vidar Elven with me here at Skill TV. He is an Architect in our Infrastructure Department and an expert on Azure Active Directory, which is the topic of today. Welcome, Jan Vidar.

Jan Vidar: Thanks for that, Elham. Very glad to come and talk about something I am very engaged in and work a lot with!

Elham: Jan Vidar, in recent years we have moved more and more to the Cloud. More companies are using these Cloud solutions. However, it has not been without challenges; many companies are concerned that their business secrets may leak out, afraid of hackers, unfortunate leaks etc. … simply the security around the cloud. What are your thoughts about this?

Jan Vidar: Well, when you move the solutions out into the cloud, users’ identities and access control follow with them. It is then important to have confidence that authentication and authorization take place in a secure manner, so that one can be assured that no one but those who should HAVE access GET access to their solutions. It is this, and more, that Azure Active Directory delivers. Azure AD is a platform for identity management and access control for solutions in the cloud, AND for the local data center.

Elham: What are the challenges around users now? Moreover, what does it require when it comes to security around the systems that companies use? We live in a world where users use many devices and take them with them everywhere … This presents some challenges. How can you resolve it with Azure AD?

Jan Vidar: The challenge with users now is two-part. One is that they increasingly use the PCs and mobile devices delivered to them by their workplace at home or on the go. The second is that they are using their personal mobile phones, tablets and laptops to log on to the company’s solutions. Very often, these are also at the disposal of the other members of the family. When the solutions are located in the cloud, it can be a concern that the use of your user name and password alone is not enough, especially when some Apps store the credentials as well.

A solution to this in Azure AD is to make use of Multi-factor authentication. Multi-factor authentication is free for Office 365 users and Azure AD administrators. With MFA you get an SMS, a phone call or a notification in a separate App where you have to approve the authentication before you get access. We can also choose to use MFA only when the user is outside the company’s network. In the Premium version of Azure AD, MFA is included in hybrid scenarios so that you can protect your own solutions in the on-premises data center as well.

Another way to solve the challenges is to require that devices be registered before you get access to log on to the solutions in the cloud. You can also require that the devices be in compliance with company policy, for example require that they have a password on the lock screen. Requirements for registration of mobile devices can be set up in Office 365, which is powered by the MDM platform in Microsoft Intune, or you can use the entire Intune platform to configure MDM and MAM, Mobile Device Management and Mobile Application Management, for device management, application management and policies for the company’s devices and Apps. All this is linked to the user’s identity in Azure AD.

Elham: Many IT managers believe that things were easier in the past, when they were very close to their solutions and data, and now might feel that they have lost control … What is your experience around that?

Jan Vidar: Not only are the users and devices spread out, but the data exchanged in the solutions, both internally between each other and externally with others, is also important to have control of. When it was easier in the past, it probably meant that you had the solutions in the local data center, you had them integrated with Active Directory, and had one simple and transparent Single Sign-On, a user name and a password for all or at least most services, at the same time as we had control of the data locally. When we now use solutions in the cloud, we must have a solution that facilitates the same, and at the same time keep control of the data. Azure AD together with Azure Rights Management Services can associate the identity and protection at the file level. However, this only applies to the solutions in the cloud and the Apps that IT has control over and knows about.

Elham: The IT department doesn’t have much control over all the cloud apps outside the local firewall, and that concerns many. What is your advice around this? Users are going to use them anyway; what should our customers think about?

Jan Vidar: What we are talking about here is what we call shadow IT; users find their own solutions where there is a lack of personalized services from the company. Email, file sharing, social media and productivity applications are areas where SaaS applications are used by users in a business context. This concerns applications, user names, passwords and data that IT has no control over. What can IT do? Azure AD has the ability to facilitate applications from a catalog of over 2400 SaaS applications; you can also add your own self-developed applications, as well as publish internal applications from the local data center. That way one can arrange for authentication via Azure AD, Single Sign-On for those applications that support it, or Same Sign-On with password storage for other applications. In this way IT can take control of the applications and facilitate access for its users. IT can also run discovery and reports to find out what the users actually use on the devices they have, to identify whether there are applications it is important to provide and facilitate.

Elham: We know Active Directory, but now it can also be located in Azure if you wish? It can then be managed both in the cloud and on premises; explain this a bit more.

Jan Vidar: By integrating local Active Directory with Azure AD through synchronization, companies can manage users and groups in one place, at the same time as they can give access to solutions in the cloud. With hybrid identities and Single Sign-On, users can relate to the same user name and password whether using solutions in the cloud or in the local data center, at the same time as IT has control of the authentication: who, what, where and when.

Elham: IT can actually go in and see how, when and where users have logged in from, and have more control over the activities?

Jan Vidar: Yes, Azure AD Premium provides opportunities to monitor and run reports on authentications and application usage, as well as to view suspicious patterns in sign-on, credentials that may have been lost, or devices that may be infected, for example.

Elham: Does this work on any device? Single Sign-On? You have only one password and can log in once?

Jan Vidar: Yes, iOS, Android and Mac are supported in addition to Windows and Windows Phone. Office applications, SSO, Device Management and Rights Management are supported on these, all linked together with your identity in Azure AD. With the upcoming Windows 10, these devices can also be joined directly to Azure AD, and you can log on with your Azure AD identity. One can also use a PIN code associated with the device for even easier authentication, or use biometric authentication with Windows Hello!

Elham: How will this take away the uncertainty around the Cloud, security, and control over users?

Jan Vidar: It all starts with control of identities, and Azure AD facilitates this for the solutions running in the cloud, and not necessarily just for Microsoft solutions but also for SaaS solutions that support SSO and federation with Azure AD. With control of the devices and rights management for the files as well, together with security mechanisms for authentication and conditional access, you have the tools you need to get started. Azure AD can also provide for self-service IT, where users can reset their passwords, or get access to an application if they want it.

Elham: Azure AD has really simplified my life without me noticing it; I can log in from anywhere and on any device. If customers would like to know more about this, you can come visit and tell them how Azure AD can simplify a lot for IT departments as well as security. Thank you so much for talking to me today.

Jan Vidar: Thank you for inviting me!